A common problem that occurs in a Local Area Network (LAN) or other IP networks is when one network device connected to the network adversely affects the entire network performance. The behavior of that offending network device often impacts normal network performance. Usually, it is necessary to determine where the offending network device is physically located in a building and its connection status to network switches and other network resources or network devices. This information needs to be determined quickly so action can be taken to restore the network to normal performance.
It is well known that each network device includes a universally unique identifier as its Media Access Control (MAC) address. In a network that uses a plurality of network switches, for example, layer 2 Ethernet switches, each network switch maintains a table of MAC addresses and the physical port on which that MAC address was learned. For example, a faulty network device could have a bad MAC card and transmit packets in an out-of-control manner. In another example, a server could use an IP address of x.x.x.x with its MAC information and address. A computer as a network device could previously have had that IP address of x.x.x.x. The user of that computer may not have used that computer for six months. When the offending user boots six months later, that user maintains the static IP address of x.x.x.x for their computer, which advertises itself to the network and other users as that IP address. In operation, other users (including the offending user) may be trying to access the server that has the IP address of x.x.x.x. Because traffic is redirected from that correct server to the computer of the offending user, the network does not operate properly. Again, the offending computer with the wrong IP address needs to be located quickly and efficiently. Even worse is when an offending user must be located because of malicious behavior. Then it often becomes more critical to locate the offending user quickly and efficiently.
One current solution to locate the offending network device and its MAC address is for a technician or other user to log-in manually into each network switch and determine if the offending or faulty network device is directly connected to that network switch and take any necessary actions such as shutting down the port, isolating the offending or faulty network device on a separate VLAN, rate limiting that offending or faulty network device, blocking all traffic from that located MAC address and/or similar solutions. This manual log-in technique is a lengthy, cumbersome process, especially in larger networks where there are many network switches to search. Also, a detailed knowledge of the network architecture is required, thus requiring the technician hunting for the offending network device to determine if the device is directly connected to the network switch or if the MAC address was learned on a switchport that is tied to another network switch. For example, the faulty or offending network device could be located multiple hops away.